The work by Christandl, König and Renner [Phys. Rev. Lett. 102, 020504 (2009)] provides in
particular the possibility of studying unconditional security in the finite-key regime for all
discrete-variable protocols. We spell out this bound from their general formalism. Then we apply it to the
study of a recently proposed protocol [Laing et al., Phys. Rev. A 82, 012304 (2010)]. This protocol is
meaningful when the alignment of Alice's and Bob's reference frames is not monitored and may vary
with time. In this scenario, the notion of asymptotic key rate has hardly any operational meaning,
because if one waits too long, the average correlations are smeared out and no security can be
inferred. Therefore, finite-key analysis is necessary to find the maximal achievable secret key rate
and the corresponding optimal number of signals.

PACS numbers: 03.67.Dd, 03.67.Ac 



I. INTRODUCTION 

Quantum key distribution (QKD) provides a way of distributing secret keys for use in secure communication
[1, 2]. Started by Bennett and Brassard in 1984 (BB84, [3]) and by Ekert in 1991 [4], QKD has posed several
challenges, both theoretical and experimental, which have been met to a large extent. One of those challenges has
been the derivation of security bounds that take into account the finite number N of exchanged quantum signals,
i.e. the finite size of the keys one has to work with. The tools for such a study were remarkably anticipated by
Mayers in his very first unconditional security proof [S], but for several reasons the full solution was delayed by
more than 10 years. Hayashi's formalism [5] was tailored for the BB84 protocol. The approach by Renner and
one of us [7-9] is in principle more flexible but is limited to collective attacks in general: unconditional security
could be claimed only for BB84 and those other few protocols, in which the bound for collective attacks is known
to coincide with the one for the most general attacks [10]. Recently, Christandl, König and Renner developed
some very general mathematical tools [11], one of whose applications is the derivation of finite-key bounds for
any discrete-variable protocol (for the status of the question in continuous-variable protocols see [12]).

In this paper, we spell out explicitly the method to compute the finite-key QKD bound described in [11]. This
new tool can be used to compute unconditional security bounds in the finite-key regime for protocols like Bennett
1992 (B92 [13]), Scarani-Acín-Ribordy-Gisin 2004 (SARG04 [14, 15]) or protocols based on the violation of Bell's
inequalities [16, 17]. As an application, we have rather chosen the reference frame independent protocol proposed
by Laing et al. [18]. This protocol is useful in situations in which the alignment of reference frames between
Alice and Bob is not monitored and may vary in time. In this study we consider the finite key analysis of this
protocol, in light of the fact that the reference frame relations in these scenarios will not only be unknown, but
may also be fluctuating over the course of the protocol. Under these assumptions, one must find that optimal
secret key rates are reached for a finite number of signals: if Alice and Bob wait too long, their correlations
will be smeared due to the misalignment of the frames.

The paper is arranged as follows. In Section II we present the new method for finite key analysis against
coherent attacks. In Section III we use this method to analyze the reference frame independent protocol for two
cases of drifting phase references: firstly, one frame rotating at constant speed relative to the other; secondly, the
angle between the frames fluctuating according to a random walk. Lastly, in Section IV the implications of the
results are considered.



II. FINITE KEY ANALYSIS METHOD 

We start by summarizing the notations and the bound for collective attacks, as discussed in detail in previous
works [ZrEl E] . Then we present the new bound extracted from [11].

A. Notations and bound for collective attacks



Let N be the number of signals sent by Alice that are received by Bob. In addition to the error rate in the raw
key, denoted Q, the protocol uses $n_{PE}$ parameters $V = \{v_1, \ldots, v_{n_{PE}}\}$ to bound Eve's information. For simplicity,
we consider asymmetric protocols [19], in which n signals are used to create the raw key, while other signals are
used to estimate the other parameters (the secret key rate for the symmetric protocol is larger by $n_{PE} + 1$ at most
and becomes the same in the asymptotic limit). The number of signals devoted to estimating $v_j$ is written $m_j$.

Let now $\varepsilon_{PA}$ be the probability that privacy amplification fails, and $\varepsilon_{PE}$ the probability that the real value
of a parameter lies outside of the chosen fluctuation range. There is a third error probability, denoted $\bar{\varepsilon}$, which
measures the accuracy of estimation of the smooth min-entropy. Finally, there is a probability $\varepsilon_{EC}$ that error
correction fails, which is determined by the choice of the error correction code. Because of the composability of
the bound, in the worst case, the probability $\varepsilon_{col}$ that the quantum key distribution protocol fails does not exceed
the sum of the probabilities of failure in different phases of the protocol:

$$\varepsilon_{col} = \varepsilon_{PA} + \bar{\varepsilon} + n_{PE}\,\varepsilon_{PE} + \varepsilon_{EC}. \qquad (1)$$

The user can choose $\varepsilon_{col}$ and $\varepsilon_{EC}$; the other parameters can be optimized under the constraint

If the key alphabet is made of d-valued symbols, the secret key fraction against collective attacks is given by

$$r_{N,col} = \frac{n}{N}\left[\min_{E|V\pm\Delta V(\varepsilon_{PE})} H(A|E) - H(A|B) - \frac{1}{n}\log\frac{2}{\varepsilon_{EC}} - \frac{2}{n}\log\frac{1}{\varepsilon_{PA}} - (2d+3)\sqrt{\frac{\log(2/\bar{\varepsilon})}{n}}\right] \qquad (2)$$

where we are assuming that the yield of the error correction protocol is perfect, to reach the Shannon limit,
$H(A|B)$.



B. Beyond collective attacks 



Previous works [THS] used the bound above to claim unconditional security for the BB84 and the six-state
protocols, as well as for their natural high-dimensional generalizations, because for those protocols the bound
for collective attacks coincides with the one for coherent attacks [10]. But, for protocols using a less symmetric
encoding, there is no guarantee that this is the case. The most general attacks are impossible to parametrize.
Therefore, the generic recipe for unconditional security consists, in a nutshell, in bounding the possible advantage
of coherent attacks over the collective ones, then computing the bound for collective attacks with the suitable
overhead terms.

The first such approach used the exponential de Finetti theorem [20, 21]. This theorem bounds the distance
between any state $\rho^{n}_{AB}$ that leads to permutationally invariant statistics for Alice and Bob, and n-fold product
states $\sigma^{\otimes n}$ (or mixtures thereof), i.e. exactly the states that a collective attack would produce. The overhead
obtained by this theorem turns out to be very heavy, so much so that it would make finite-key bounds
unrealistically pessimistic (Figure 2). This fact was stressed already in [7], but the explicit expressions and results were
not given, so we present them in Appendix A.

The de Finetti theorem is tight if one wants to compare the attacks at the level of the states. Christandl, König
and Renner [11] noticed that, for the sake of QKD and other quantum information processing tasks, a much less
refined comparison is actually sufficient.

They found that it suffices to consider the distance between two permutation invariant maps and how this
distance changes when acting on states that result from a general attack rather than on states resulting
from a collective attack. The maps are the one describing the QKD protocol being implemented and an idealized
scheme which takes any quantum state as an input and distributes two classical perfectly correlated random
strings to Alice and Bob. See Figure 1.

In summary: let us fix $\varepsilon_{coh}$ as the tolerable failure probability of the secret key against coherent attacks. Then,
the resulting expression for the secret key rate is

$$r_N = r_{N,col} - \frac{2(d^4-1)\log(N+1)}{N} \qquad (3)$$

where the bound for collective attacks (2) is computed under the constraint (1) for the security parameter

$$\varepsilon_{col} = \varepsilon_{coh}\,(N+1)^{-(d^4-1)}. \qquad (4)$$

FIG. 1: Consider the distance, $\Delta$, between the permutation invariant maps $\mathcal{E}$, implementing the QKD protocol, and
$\mathcal{F} = \mathcal{S}\circ\mathcal{E}$, where the map $\mathcal{S}$ is a hypothetical process that takes an imperfect key to a perfect one. This distance can
be found when the maps act on the de-Finetti-Hilbert-Schmidt state, which describes the case for collective attacks, and
the increase in $\Delta$ can be bounded when the same two maps act on an arbitrary state, the case for coherent attacks. This
model is from [11].

The improvement that this technique gives over the use of the exponential de Finetti theorem is illustrated in
Figure 2. For the BB84 protocol the optimal coherent attack is a collective attack and therefore the line (a) is
the best bound for security. However, if that were not known to be the case, the post-selection technique gives
a bound close to the optimal one, whereas the bound obtained using the de Finetti theorem is substantially worse and
would imply the practical impossibility of obtaining a key in QKD.



III. CASE STUDY: REFERENCE FRAME INDEPENDENT PROTOCOL 



A. Review of the Protocol 



We briefly describe the reference frame independent protocol [18]. In the prepare and measure scenario, Alice
sends to Bob a qubit prepared in an eigenstate of three mutually unbiased bases $\{X_A, Y_A, Z_A\}$ chosen at random
but not necessarily with the same probability. Bob then receives a qubit which may be tampered with by Eve and
measures in his own basis chosen among a possibly different set of mutually unbiased bases $\{X_B, Y_B, Z_B\}$. The
equivalent entanglement based version is that Alice and Bob receive a pair of entangled qubits in a state $\rho_{AB}$
which is in the ideal case, and perform the local measurements defined by the above-mentioned bases on
them. The measurements can be described by a vector in the Bloch sphere which we will refer to by direction.
Unlike usual protocols, where the reference frames orientations are actively monitored using the classical channel,
this protocol requires one well defined direction $Z_A = Z_B$ while the other two directions are related by an unknown
transformation

$$X_B = \cos\beta\, X_A + \sin\beta\, Y_A, \qquad Y_B = \cos\beta\, Y_A - \sin\beta\, X_A. \qquad (5)$$

FIG. 2: Secret key fraction for BB84 vs. the number of signals N for 3 different finite analysis bounds (a) collective attacks,
(b) the post-selection technique, and (c) the exponential de Finetti theorem.



At the end of the signal exchange phase, they reveal their bases. This protocol is intrinsically asymmetric, in 
that the different bases play different roles. The raw key consists of the cases where both have measured in the 
Z basis, and is characterized by the quantum bit error rate 



$$Q = \frac{1 - \langle Z_A Z_B\rangle}{2}. \qquad (6)$$

Eve's information is quantified by the parameter

$$C = \langle X_A X_B\rangle^2 + \langle X_A Y_B\rangle^2 + \langle Y_A X_B\rangle^2 + \langle Y_A Y_B\rangle^2 \le 2 \qquad (7)$$

where $C = 2$ guarantees maximal entanglement. Note that four measurements are needed to estimate C, so the
actual parameters that are measured are

$$v_1 = \langle X_A X_B\rangle, \quad v_2 = \langle X_A Y_B\rangle, \quad v_3 = \langle Y_A X_B\rangle, \quad v_4 = \langle Y_A Y_B\rangle. \qquad (8)$$



The expression (7) has been chosen because it is independent of $\beta$: it retains its value even if Alice's and Bob's
frames are misaligned. In the asymptotic limit, the information that Eve can gain from coherent attacks is upper
bounded by

$$I_E(Q,C) = (1-Q)\,h\!\left(\frac{1+u_{\max}}{2}\right) + Q\,h\!\left(\frac{1+v(u_{\max})}{2}\right) \qquad (9)$$

where

$$u_{\max} = \min\left[\frac{1}{1-Q}\sqrt{C/2},\; 1\right], \qquad v(u_{\max}) = \frac{1}{Q}\sqrt{C/2-(1-Q)^2\,u_{\max}^2} \qquad (10)$$

and h(x) is the binary entropy. This result holds in the range $0 < Q < 15.9\%$, which is perfectly reasonable for
the quality of optical lines.



Obviously, this protocol becomes of interest if $\beta$ varies in time: if the frames are possibly misaligned but are
guaranteed to be fixed in time, one would just align them once and for all. However, it takes time to collect
enough data to estimate the four average values that enter the expression of C: the misalignment of the frames
during this time leads to a smearing of the correlations and the consequent decrease of C. In particular, if one
waits to accumulate a very large number of signals, C will ultimately drop so much that no security can be
inferred: in other words, the asymptotic rate somehow assumes not only that infinitely many signals can be
collected, but also that $\beta$ is fixed. In all meaningful situations, not only the realistic secret key rate, but also the
optimal one must be determined by finite-key analysis. This is the object of what follows.

B. Computing the finite-key bound

Let us particularize the parameters that enter the finite-key bound (3) to the protocol under study. We denote
by $p_Z$ the probability that Alice and Bob choose the key basis Z; we assume that the other two bases are chosen
with equal probability $p_X = p_Y = (1 - p_Z)/2 = p$. So the raw key consists of $n = N p_Z$ signals, while each of the
correlators $v_j$ is estimated using $m = N p^2$ signals.

The quantity $\min_{E|V\pm\Delta V(\varepsilon_{PE})} H(A|E)$ is given by $1 - I_E(Q', C')$ where $Q'$ and $C'$ would be the perfect estimates,
which are related to the observed values (Q, C) by assuming the worst case fluctuations, i.e. by increasing the
error Q and reducing the correlations $v_j$. Specifically, $Q' = Q + \delta(n)$ and $v'_j = v_j - \delta(m)$ where

$$\delta(k) = \sqrt{\frac{\ln(1/\varepsilon_{PE}) + 2\ln(k+1)}{2k}}. \qquad (11)$$

As in previous works we use the Law of Large Numbers as presented in Cover and Thomas, Theorem 11.2.1 [22].
Other estimates have been studied [23]. Finally, $H(A|B) = h(Q)$ where the expression is a function of the observed
Q and not $Q'$: the EC code must correct only the errors that have actually happened.

At present, we have everything: one just has to choose the desired security level $\varepsilon_{coh}$, give the values of N,
$\varepsilon_{EC}$, Q and C, then maximize over the other parameters under the constraints (1) and (4). As anticipated,
we are going to study the effects of the time variations of $\beta$.

C. Dynamics of C for varying $\beta$

The real evolution of $\beta$ during the protocol is, by definition, unknown: its monitoring would provide the
information needed to align the frames. But in order to design a protocol and choose the suitable parameters,
one must make a guess of how this evolution will be. This prior guessing is not specific to this protocol: it is
a general necessity when one wants to make estimates before running the experiment (for a full discussion, see
paragraph 2.3 in [5]).

Let us start by rewriting (5) and (8) as

$$v_1(t) = v_1(0)\cos\beta(t) + v_2(0)\sin\beta(t), \qquad v_2(t) = v_2(0)\cos\beta(t) - v_1(0)\sin\beta(t), \qquad (12)$$
$$v_3(t) = v_3(0)\cos\beta(t) + v_4(0)\sin\beta(t), \qquad v_4(t) = v_4(0)\cos\beta(t) - v_3(0)\sin\beta(t). \qquad (13)$$

These are the "instantaneous values", i.e. the correlations that one would observe by freezing the frames at time
t. Now, for simplicity we assume that the N signals one is going to collect are equally spaced in time with an
interval $\tau$. Then the observed correlations over the time $T_N$ required to collect the N signals will be given by
$\bar{v}_j(T_N) = \frac{1}{N}\sum_{k=0}^{N-1} v_j(k\tau)$. In other words, denoting

$$\frac{1}{N}\sum_{k=0}^{N-1} e^{i\beta(k\tau)} = c_N + i s_N, \qquad (14)$$

the $\bar{v}_j(T_N)$ are just the $v_j(t)$ with $\cos\beta(t)$ replaced by $c_N$ and $\sin\beta(t)$ replaced by $s_N$. It is also easy to verify
that the observed value of C will be

$$C(T_N) = C(0)\,(c_N^2 + s_N^2): \qquad (15)$$

the quality of the initial correlations is captured by C(0) and is factored out from the smearing due to the
variations of $\beta$.

Let us particularize now for two possible dynamics:

• The frames drift apart at a constant angular velocity $\theta(t) = \omega t$. Then

$$c_N + i s_N = \frac{1}{N}\,\frac{1 - e^{i\theta N}}{1 - e^{i\theta}} \qquad (16)$$

with $\theta = \omega\tau$. This leads in particular to

$$C(T_N) = C(0)\,\frac{1-\cos(\theta N)}{N^2\,(1-\cos\theta)}. \qquad (17)$$

As $\theta \to 0$, the continuous sampling limit is recovered of $C(T_N) = C(0)\,\frac{2\,[1-\cos(\theta N)]}{(\theta N)^2}$.

• The relative angle is following a random walk behavior: $\beta$ changes by $\pm\theta$ randomly in the time $\tau$. One is
led to compute the average value of the sine and cosine of a random walk, i.e.

$$c_N + i s_N = \sum_{k=-N/2}^{N/2} e^{i\theta(2k)}\,P_N(2k) = (\cos\theta)^N \qquad (18)$$

where $P_N(d) = 2^{-N}\binom{N}{(N+d)/2}$ is the probability of travelling a distance $d \in \{-N, \ldots, N\}$ in N steps. This leads
to

$$C(T_N) = C(0)\,(\cos\theta)^{2N}. \qquad (19)$$

In both cases, of course, $C(T_N)$ goes to zero for large N. The effect of this smearing on the finite-key secret
key rate is shown in Figure 3.

FIG. 3: Secret key fraction for (a) the frames drifting apart at constant angular velocity with ^ = ^fg x 1(F 10 , (b) fixed
frames, (c) one frame drifting relative to the other according to a random walk with the different rate of
per step. For both plots the security parameter is e = 1CP J , C(0) = 1.72, and Q = 5%.
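
Added example (not code from the paper or its authors): a Python evaluation of the finite-key rate of Eq. (3) for the reference frame independent protocol, using the smearing factors of Eqs. (16) and (18) and scanning N for the optimal block size. Eq. (16) is evaluated in an equivalent sine form because 1 - cos(theta) cancels numerically for very small theta. Assumptions made here and not taken from the paper: eps_coh = 1e-10, p_Z = 0.9 (not optimized), a raw-key fraction p_Z^2, n_PE = 4, an equal four-way split of eps_col, v(0) = (a, 0, 0, a) with a = sqrt(C(0)/2), the drift rates in the demo, and Eqs. (2) and (9)-(11) coded in their standard published form.

```python
import cmath
import math

def h(x):
    """Binary entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def eve_info(Q, C):
    """I_E(Q, C) of Eqs. (9)-(10)."""
    u = min(math.sqrt(C / 2) / (1 - Q), 1.0)
    v = math.sqrt(max(C / 2 - ((1 - Q) * u) ** 2, 0.0)) / Q
    # min(v, 1): guard for (Q, C) pairs that no physical state can produce
    return (1 - Q) * h((1 + u) / 2) + Q * h((1 + min(v, 1.0)) / 2)

def smear_rotation(N, theta):
    """c_N + i*s_N of Eq. (16) for a drift of theta per signal.
    Rewritten with sines: 1 - cos(theta) loses all digits for tiny theta."""
    if theta == 0.0:
        return complex(1.0)
    mag = math.sin(N * theta / 2) / (N * math.sin(theta / 2))
    return mag * cmath.exp(1j * theta * (N - 1) / 2)

def smear_random_walk(N, theta):
    """c_N + i*s_N of Eq. (18) for steps of +/- theta per signal."""
    return complex(math.cos(theta) ** N)

def key_rate(N, cs, C0=1.72, Q=0.05, eps_coh=1e-10, pz=0.9, d=2, n_pe=4):
    """Secret key fraction r_N of Eq. (3) for smearing factor cs = c_N + i*s_N."""
    p = (1 - pz) / 2
    n, m = N * pz ** 2, N * p ** 2      # assumption: independent basis choices
    # Eq. (4) in log2 form; assumption: eps_col split equally over four terms
    lg_eps = math.log2(eps_coh) - (d ** 4 - 1) * math.log2(N + 1) - 2
    ln_inv_pe = (math.log2(n_pe) - lg_eps) * math.log(2)   # ln(1/eps_PE)

    def delta(k):                        # Eq. (11)
        return math.sqrt((ln_inv_pe + 2 * math.log(k + 1)) / (2 * k))

    a = math.sqrt(C0 / 2)                # assumption: v(0) = (a, 0, 0, a)
    observed = (a * cs.real, -a * cs.imag, a * cs.imag, a * cs.real)  # Eqs. (12)-(14)
    C_wc = sum(max(abs(v) - delta(m), 0.0) ** 2 for v in observed)
    Q_wc = Q + delta(n)
    if Q_wc >= 0.159:                    # outside the validity range of Eq. (9)
        return 0.0
    r_col = (n / N) * (1 - eve_info(Q_wc, C_wc) - h(Q)
                       - (1 - lg_eps) / n                  # (1/n) log(2/eps_EC)
                       - 2 * (-lg_eps) / n                 # (2/n) log(1/eps_PA)
                       - (2 * d + 3) * math.sqrt((1 - lg_eps) / n))  # Eq. (2)
    return max(r_col - 2 * (d ** 4 - 1) * math.log2(N + 1) / N, 0.0)

def best_block(smear, theta):
    """Block size on a log grid (1e5 .. 1e12) that maximises the key fraction."""
    grid = [10 ** (k / 4) for k in range(20, 49)]
    return max(grid, key=lambda N: key_rate(N, smear(N, theta)))

if __name__ == "__main__":
    for name, smear, theta in (("fixed frames", smear_rotation, 0.0),
                               ("rotation, 1e-8 rad/signal", smear_rotation, 1e-8),
                               ("random walk, 1e-4 rad/step", smear_random_walk, 1e-4)):
        N = best_block(smear, theta)
        print(f"{name}: best N = {N:.2e}, r_N = {key_rate(N, smear(N, theta)):.3f}")
```

With fixed frames the rate keeps growing with N, while with either drift model the maximum sits at a finite block size and the rate falls to zero beyond it.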

IV. CONCLUSION

We have studied the application of the post-selection technique of [11] to QKD protocols in finite-key scenarios
to extend security bounds for collective attacks to bounds for coherent attacks. We have compared it explicitly
to the bounds recovered for finite keys using the de Finetti theorem. We demonstrate how to compute this new
bound by applying it to the reference frame independent protocol of [18]. In addition, we have considered two
physically plausible scenarios for the case of unaligned reference frames: that one frame may be rotating relative
to the other, or that one frame may be executing a random-walk-type drift relative to the other.

The most prominent feature in these two cases is that the asymptotic limit does not give the best key fraction.
This can be seen in Figure 3. The reason is that the longer we collect the signals, the lower the value of the
security parameter C becomes. For a fixed $\omega$ or $\theta$, there exists an optimal block of size N to obtain the best
secret key fraction. If more key is required, the protocol should be terminated and restarted after each block.
Hence any practical application of the reference frame independent protocol should aim for this optimal number
of signals to be exchanged in a run of key distribution.

Appendix A: De Finetti

Here we consider the bound which can be derived from using the de Finetti bound when using d-dimensional
systems following the results of [20].

Now, of the sifted signals $N_s$, m will be used for parameter estimation and k systems are traced over to make
use of the de Finetti theorem by bounding the remaining systems to have been very close to a mixture of product
states $\sigma^{\otimes n}$. Thus, $n = N_s - m - k$ is the number of remaining systems that can be put towards the key, but since
it is not yet secure, this is the raw key.

Let the state $\rho_n$ be the permutationally invariant output of a quantum key distribution protocol. Because the
state $\rho'_n$ is in general not exactly of product form, for any $|\theta\rangle$, it is a pure state of the symmetric subspace of $\mathcal{H}^{\otimes n}$
such that $\rho'_n = \sum_\pi |\theta\rangle^{\otimes n-t} \otimes |\phi\rangle_t$, where the sum is over all permutations, $\pi$, for some t such that $0 < t < m/2$.
In some sense, t can be thought of as quantifying the distance that the state $\rho'_n$ is from the perfect pure n-fold
product state.

So we can now introduce an error, $\varepsilon_{deF}$, that parameterizes t:

$$\varepsilon_{coh} = \varepsilon_{PA} + \bar{\varepsilon} + n_{PE}\,\varepsilon_{PE} + \varepsilon_{EC} + \varepsilon_{deF}. \qquad (A1)$$

where $t = (2\ln(2/\varepsilon_{deF}) + d^4 \ln(k))$ [20].

The maximum error in the parameter estimation, assuming m samples, is now: 



S(m) = 1/(1 + ln2) h (-) + Hl/e PE ) + dHm/2 + l) 
a — 1 y \m J m 

where k is optimized over. We see then that if k is larger, t can be smaller (the form of the raw key state can
constrain Eve to collective attacks more closely), however, this reduces the size of the raw key, so there is a
trade-off.

The term giving the privacy amplification correction is also modified [20], so that the final rate is given by



n 

?"jV,coh,dcF = -jy 



min H(A\E) - H(A\B) - -log— (A3) 

£|V±AV( £PE ) n e E c 



- log(l/ £pA ) - -(m + k) \og(d 2 ) - (U + 4^ \ / log(2/£) + h (t/ n ) . (A4i 
n n \ I I V n 



These expressions can be used in equation (2) to get a bound for coherent attacks.



Appendix B: Derivation of Eqs. (3) and (4) from Ref.

General coherent attacks can be bounded in terms of collective attacks for general permutation invariant
protocols by using the method introduced in [11].

First, it is usually easier to prove that a protocol is secure against collective attacks than coherent ones, so the
problem is approached for a particular state, the de-Finetti-Hilbert-Schmidt state $\tau_{A^N B^N}$, which represents the
mixture over states that could be held by Alice and Bob after Eve makes a collective attack. This state is defined
as:

$$\tau_{A^N B^N} = \int \sigma_{AB}^{\otimes N}\, d_{HS}\,\sigma_{AB} \qquad (B1)$$

where $d_{HS}$ is the measure induced by the Hilbert-Schmidt metric, $\Delta_{HS}(X - Y) = \|X - Y\|_{HS}$ and $\|X\|_{HS} =
\mathrm{Tr}(X^\dagger X)$.

Let $\mathcal{E}$ be the actual protocol for which security is to be proven and $\mathcal{F}$ be an ideal key-generation protocol
composed of the actual protocol $\mathcal{E}$ and a map $\mathcal{S}$ that takes classical inputs and outputs a perfectly random
perfectly correlated key string, i.e. $\mathcal{F} = \mathcal{S}\circ\mathcal{E}$ that for any inputs gives Alice and Bob the output of an ideal key.
(See Figure 1.) The main theorem of [11] guarantees the security of this protocol against any coherent attack

$$\Delta(\mathcal{E},\mathcal{F})_\rho \le (N+1)^{d^4-1}\,\Delta(\mathcal{E},\mathcal{F})_\tau, \qquad (B2)$$

where $\Delta(\mathcal{E},\mathcal{F})_\rho$ and $\Delta(\mathcal{E},\mathcal{F})_\tau$ are the diamond-norm distances between the protocols for arbitrary states $\rho$ and
the de-Finetti-Hilbert-Schmidt state $\tau$ respectively, and N is the number of signals or subsystems each with
dimension $d^2$ (bipartite qudits shared by Alice and Bob). Since $\rho$ is an arbitrary state it can correspond to an
arbitrary quantum-mechanically-allowed attack by Eve.

In order to find the secret key fraction for finite length keys, it is also necessary to consider the effect of Eve's
possession of the purification of $\rho_{A^N B^N}$. This is already considered for collective attacks when the min-entropy of
Alice's information given Eve's, $H_{\min}(A|E)$, is used to bound the secret key fraction. Let $\mathcal{H}_E$ be the system Eve
holds that purifies $\sigma_{AB}$. (See Figure 4.) Now it is necessary to also include the extra information she may have as
a result of holding the purification of the mixture of the state on N systems $\tau'_{A^N B^N E^N} = \int \sigma_{ABE}^{\otimes N}\, d(\sigma_{ABE})$ where
$d(\cdot)$ is the Haar measure over pure states, $\sigma_{ABE}$. Let the purification of this N-system state be on the Hilbert
space $\mathcal{H}_{E'}$. So now we must consider $H_{\min}(A^N|E^N E')$ in the equation for the secret key fraction. We use the
entropy bound

$$H_{\min}(A^N|E^N E') \ge H_{\min}(A^N|E^N) - 2H(E'). \qquad (B3)$$

A space of dimension no more than $(N+1)^{d^4-1}$ is needed to construct such a purification and so $\mathcal{H}_{E'}$ cannot
contain more than $\log[(N+1)^{d^4-1}]$ bits of information. We therefore subtract twice this from the available
entropy and divide by the number of signals N to obtain equation (3).

FIG. 4: Eve's Hilbert space E purifies each entangled system space held by Alice and Bob. The remainder of Eve's space
E' purifies the state $\tau'$ on N systems which is a mixture over the possible pure product states $\sigma_{ABE}$.

So, the post-selection technique gives another way to relate a bound that can be shown for collective attacks
to a bound for an unknown optimal coherent attack, provided that there is a bound on the dimension of the
systems being exchanged d. In other words, this result, just as the de Finetti theorem, cannot be used as such for
continuous variables.



